This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
yuvalmamka
Employee
Employee
‎2024-01-03 01:44 AM

CloudGuard AppSec Provides Zero-day Protection for MOVEit CVE-2023-36934

MOVEit Transfer is a secure file transfer software designed to enable businesses to manage critical file transfers through a centralized platform.
 

During 2023 many new CVE were found in the software, mainly utilizing SQL Injection and XSS technics. Considering the widespread adoption of the software globally, it is nessasery to have sufficient layers of security that can provide prevention during the zero day phase (pre-emptive security) – before the vulnerability become known to the public, and the CVE number is assigned.

 

d94894_285f46685a61475a919d949bc8ab63c0~mv2.png

Understanding CVE-2023-36934

CVE-2023-36934 was published on 2023-07-05 and assigned with a high CVE Base score of 9.1 (Critical). The Vulnerability allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

The vulnerability is specifically located in the /human.aspx and machine.aspx endpoints. Publicly available Proof of Concept (POC) examples offer insights into the exploitation of this vulnerability.

A publicly available POC developed by ProjectDiscovery illustrates the exploitation process through a four-step approach:

d94894_b1841edd0c724a31bda23f4f8d55737e~mv2.png

Source: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36934.yaml

 

1. First POST Request to /human.aspx:

  • Details: The SQL commands in the URL are designed to insert a new session with the specified session ID ({{session_cookie}}) and update various session attributes such as Username, LoginName, RealName, InstId, IpAddress, LastTouch, DMZInterface, Timeout, ResilNode, and AcctReady

  • Goal: The goal is to create a new session in the database with elevated privileges and specific attributes, effectively positioning the session as a legitimate and authorized user.

 

2. Second POST Request to /human.aspx with ep Parameter:

  • Details: The transaction is set to passchangerequest.

  • Goal: Setting the parameter passchangerequest that triggers the corresponding vulnerable function which can run the SQL Injection code

 

3. Third POST Request to /machine.aspx

  • Details: It includes a cookie with the session information (ASP.NET_SessionId={{session}}), using the manipulated session from the previous steps.

  • Goal: To execute the SQL injection using the previously manipulated session variables.

 

4. Fourth POST Request to /api/v1/auth/token

  • Details: The request targets an API endpoint, using credentials and the session cookie to request an access token.

  • Goal: To acquire an access token for authenticated access within the application, leveraging the privileges obtained through the SQL injection

 

WAF Pre-emptive protection

It is crucial to minimize the 'Vulnerability Window' - the period between the initial discovery of a vulnerability (the zero-day phase) and the implementation of remediation measures, such as software updates or WAF signature rule updates.
Among the four steps outlined in the CVE-2023-36934 exploit, only the first one exhibits clear indicators of a SQL Injection (SQLi) attack, making it the primary target for preemptive detection and blocking.
 
To evaluate this, an AppSec Agent was deployed in a test environment. We deactivated the IPS rule model and replicated the attack using the POC reference.  
 

Our findings revealed that both open-appsec and CloudGuard AppSec effectively provide preemptive protection against CVE-2023-36934, demonstrating their capability to secure systems before vulnerabilities are widely known, exploited, or any remediation actions become available.

bc6682_c9f8394f1254476f9b12f948be103949~mv2.png
 

Summary

This blog examined CVE-2023-36934, a critical vulnerability in MOVEit Transfer software. We detailed the vulnerability's exploitation mechanism and the importance of closing the 'Vulnerability Window', the period between vulnerability discovery and remediation.

A test was conducted with open-appsec/CloudGuard AppSec, revealing their ability to offer preemptive protection against this vulnerability, even before widespread awareness or remediation actions. This underscores the crucial role of advanced security systems in defending against zero-day threats.

 

This post was written by Boris Rozenfeld and published on https://www.openappsec.io/post/zero-day-protection-for-moveit-cve-2023-36934

0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    Sort by:
    All CloudMates Events